author | Luca Deri <deri@ntop.org> | 2019-10-26 10:54:32 +0200 |
---|---|---|
committer | Luca Deri <deri@ntop.org> | 2019-10-26 10:54:32 +0200 |
commit | b603cb453069708a5e9e9f54312f25d889fd7232 (patch) | |
tree | ff0fd3f353d970e00b8473d55b10b111033b5f65 /src | |
parent | 8f2c7c0638c2d41a14b32a0dd4fedbb4eb75dc90 (diff) |
nDPI TLS improvements using the server certificate
Diffstat (limited to 'src')
-rw-r--r-- | src/lib/ndpi_content_match.c.inc | 4 | ||||
-rw-r--r-- | src/lib/ndpi_main.c | 24 | ||||
-rw-r--r-- | src/lib/protocols/stun.c | 1 | ||||
-rw-r--r-- | src/lib/protocols/tls.c | 31 |
4 files changed, 51 insertions, 9 deletions
diff --git a/src/lib/ndpi_content_match.c.inc b/src/lib/ndpi_content_match.c.inc
index 54ce263e6..d095e14ff 100644
--- a/src/lib/ndpi_content_match.c.inc
+++ b/src/lib/ndpi_content_match.c.inc
@@ -8579,7 +8579,8 @@ static ndpi_protocol_match host_match[] = {
  { "e7768.b.akamaiedge.net", NULL, "e7768\\.b\\.akamaiedge" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
  { "e4593.dspg.akamaiedge.net", NULL, "e4593\\.dspg\\.akamaiedge" TLD,"Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
  { "e4593.g.akamaiedge.net", NULL, "e4593\\.g\\.akamaiedge" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
-
+ { "*.gateway.messenger.live.com", NULL, "\\*\\.gateway\\.messenger\\.live" TLD, "Skype", NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
+ { ".tuenti.com", NULL, "\\.tuenti" TLD, "Tuenti", NDPI_PROTOCOL_TUENTI, NDPI_PROTOCOL_CATEGORY_VOIP, NDPI_PROTOCOL_ACCEPTABLE },
  { ".twttr.com", NULL, "\\.twttr" TLD, "Twitter", NDPI_PROTOCOL_TWITTER, NDPI_PROTOCOL_CATEGORY_SOCIAL_NETWORK, NDPI_PROTOCOL_FUN },
@@ -8669,7 +8670,6 @@ static ndpi_protocol_match host_match[] = {
  { "login.live.com", NULL, "login\\.live" TLD, "Microsoft", NDPI_PROTOCOL_MICROSOFT, NDPI_PROTOCOL_CATEGORY_WEB, NDPI_PROTOCOL_SAFE },
  { "bn1301.storage.live.com", NULL, "bn1301\\.storage\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE,NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
- { "*.gateway.messenger.live.com", NULL, "\\*\\.gateway\\.messenger\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
  { "skyapi.live.net", NULL, "skyapi\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
  { "d.docs.live.net", NULL, "d\\.docs\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
  { "onedrive.live.com", NULL, "onedrive\\.live" TLD, "MS_OneDrive", NDPI_PROTOCOL_MS_ONE_DRIVE, NDPI_PROTOCOL_CATEGORY_CLOUD, NDPI_PROTOCOL_ACCEPTABLE },
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index 6e99d522c..2c05d8f84 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -4578,6 +4578,8 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct
 if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) {
 if(flow->check_extra_packets) {
 ndpi_process_extra_packet(ndpi_str, flow, packet, packetlen, current_tick_l, src, dst);
+ /* Update in case of new match */
+ ret.master_protocol = flow->detected_protocol_stack[1], ret.app_protocol = flow->detected_protocol_stack[0];
 return(ret);
 } else
 goto ret_protocols;
@@ -6053,6 +6055,25 @@ static int hyperscanEventHandler(unsigned int id, unsigned long long from,
 #endif
+/* **************************************** */
+
+static u_int8_t ndpi_is_more_generic_protocol(u_int16_t previous_proto, u_int16_t new_proto) {
+ /* Sometimes certificates are more generic than previously identified protocols */
+
+ if((previous_proto == NDPI_PROTOCOL_UNKNOWN)
+ || (previous_proto == new_proto))
+ return(0);
+
+ switch(previous_proto) {
+ case NDPI_PROTOCOL_WHATSAPP_CALL:
+ case NDPI_PROTOCOL_WHATSAPP_FILES:
+ if(new_proto == NDPI_PROTOCOL_WHATSAPP)
+ return(1);
+ }
+
+ return(0);
+}
+
 /* ****************************************************** */
 static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_str,
@@ -6109,7 +6130,8 @@ static u_int16_t ndpi_automa_match_string_subprotocol(struct ndpi_detection_modu
 }
 #endif
- if(matching_protocol_id != NDPI_PROTOCOL_UNKNOWN) {
+ if((matching_protocol_id != NDPI_PROTOCOL_UNKNOWN)
+ && (!ndpi_is_more_generic_protocol(packet->detected_protocol_stack[0], matching_protocol_id))) {
 /* Move the protocol on slot 0 down one position */
 packet->detected_protocol_stack[1] = master_protocol_id, packet->detected_protocol_stack[0] = matching_protocol_id;
diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c
index 448062f47..fbb0578f8 100644
--- a/src/lib/protocols/stun.c
+++ b/src/lib/protocols/stun.c
@@ -38,7 +38,6 @@ struct stun_packet_header {
 u_int8_t transaction_id[8];
 };
-
 /* ************************************************************ */
 u_int32_t get_stun_lru_key(struct ndpi_flow_struct *flow, u_int8_t rev) {
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 261f2ab28..c65d4fc69 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
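Review bot: The `switch(previous_proto)` in the new `ndpi_is_more_generic_protocol` has no `default:` and its single case group falls off the end of the switch, so a reader cannot tell whether reaching the final `return(0);` that way is intended; add `default: break;` (or write the test as a plain `if`) so the intent is explicit. The leading comment gives the motivation but not the contract, and callers such as the new condition in `ndpi_automa_match_string_subprotocol` negate the result, so a header like `/* Returns 1 when new_proto is only an umbrella of the already-detected previous_proto and must not replace it, 0 otherwise. */` would help. Only the WhatsApp family is listed, which is fine, but a one-line comment saying the list is expected to grow would stop it being read as exhaustive.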
@@ -67,7 +67,7 @@ static u_int32_t ndpi_tls_refine_master_protocol(struct ndpi_detection_module_st
 struct ndpi_flow_struct *flow, u_int32_t protocol) {
 struct ndpi_packet_struct *packet = &flow->packet;
- protocol = NDPI_PROTOCOL_TLS;
+ // protocol = NDPI_PROTOCOL_TLS;
 if(packet->tcp != NULL) {
 switch(protocol) {
@@ -424,9 +424,25 @@ int getTLScertificate(struct ndpi_detection_module_struct *ndpi_struct,
 if(num_dots >= 1) {
 if(!ndpi_struct->disable_metadata_export) {
+ ndpi_protocol_match_result ret_match;
+ u_int16_t subproto;
+
 stripCertificateTrailer(buffer, buffer_len);
 snprintf(flow->protos.stun_ssl.ssl.server_certificate, sizeof(flow->protos.stun_ssl.ssl.server_certificate), "%s", buffer);
+
+#ifdef DEBUG_TLS
+ printf("[server_certificate: %s]\n", flow->protos.stun_ssl.ssl.server_certificate);
+#endif
+
+ subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, flow->protos.stun_ssl.ssl.server_certificate, strlen(flow->protos.stun_ssl.ssl.server_certificate), &ret_match, NDPI_PROTOCOL_TLS);
+
+ if(subproto != NDPI_PROTOCOL_UNKNOWN)
+ ndpi_set_detected_protocol(ndpi_struct, flow, subproto, NDPI_PROTOCOL_TLS);
 }
 return(1 /* Server Certificate */);
@@ -1111,11 +1127,16 @@ int tlsDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s
 NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate);
 #endif
 ndpi_protocol_match_result ret_match;
- u_int16_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
- strlen(certificate),
- &ret_match,
- NDPI_PROTOCOL_TLS);
+ u_int16_t subproto;
+ if(certificate[0] == '\0')
+ subproto = NDPI_PROTOCOL_UNKNOWN;
+ else
+ subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate,
+ strlen(certificate),
+ &ret_match,
+ NDPI_PROTOCOL_TLS);
+
 if(subproto != NDPI_PROTOCOL_UNKNOWN) {
 /* If we've detected the subprotocol from client certificate but haven't had a chance
 * to see the server certificate yet, set up extra packet processing to wait |
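Review bot: The old override `protocol = NDPI_PROTOCOL_TLS;` is commented out with `//` instead of being deleted, which leaves dead code in `ndpi_tls_refine_master_protocol` and hides the behavioural change that `switch(protocol)` a few lines below now branches on the value the caller passed in. Delete the line and record the reason in its place, e.g. `/* Do not force TLS here: the caller's protocol drives the refinement below */`. The function body continues outside the hunk.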
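Review bot: The new lookup in getTLScertificate passes `strlen(flow->protos.stun_ssl.ssl.server_certificate)` to `ndpi_match_host_subprotocol` with no empty-name check, while the same commit adds a `certificate[0] == '\0'` guard before the equivalent call in tlsDetectProtocolFromCertificate; if stripCertificateTrailer (not visible here) can leave the buffer empty, mirror that guard with `if(flow->protos.stun_ssl.ssl.server_certificate[0] != '\0')` around the lookup and the `ndpi_set_detected_protocol` call. `ret_match` is filled in by the lookup but never read afterwards, so either drop it if the API accepts a null out-parameter or add a comment that it is required. The string being matched is whatever name the server placed in its certificate and nothing in this hunk validates it, so a short comment that classification here rests on a server-supplied value would help maintainers weigh later changes to this path. getTLScertificate's body continues outside the hunk.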